Url regex changes #302
Open
Url regex changes #302
Commits on Nov 9, 2015
-
The old URL regex had a few issues which were revealed by fuzzing, the biggest being that it accepted non-printable characters (e.g. 0x00 or 0x01) as part of the URL. This created the scenario where a url of https://example.com/[0x00] would be rendered as %2 (and attempting to open the link would give a value like "https://example.com https://example.com " due to some odd iteraction with the regex that I haven't quite worked out. The new regex appears to work with all the iterations I have tried and rejects non-printable characters.
-
Prevent attempts at phishing through unicode direction controls by forcing left-to-right display for links through html entity ‪ This is a fairly minor risk as a victim would have to go through many hoops and not see the obvious url issues. But better fixed than not.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.